Control | AIE Rules & Alarms | Investigations | Summary Reports |
---|---|---|---|
AC-2 | CCF: Abnormal Origin Location; CCF: Account Deleted Rule; CCF: Account Disabled Rule; CCF: Account Enabled Rule; CCF: Account Modification; CCF: Admin Password Modified; CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Blacklisted Account Alarm; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Corroborated Account Anomalies; CCF: Disabled Account Auth Success; CCF: Excessive Authentication Failure Rule; CCF: Failed Audit Log Write Alarm; CCF: GeoIP Blacklisted Region Activity; CCF: GeoIP General Activity; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Unknown User Account Alarm; CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv; CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Deleted Account Inv; CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Excessive Authentication Failure Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Physical Access Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: User Object Access Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Account Modification Summary; CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Auth Success Summary; CCF: GeoIP Summary; CCF: Host Access Granted And Revoked Detail; CCF: Object Access Summary; CCF: Physical Access Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Term Account Activity Summary; CCF: Top Suspicious Users; CCF: Unknown User Account Detail; CCF: User Object Access Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary |
AC-3 | CCF: Abnormal Amount of Data Transferred; CCF: Abnormal Origin Location; CCF: Account Deleted Rule; CCF: Account Disabled Rule; CCF: Account Enabled Rule; CCF: Account Modification; CCF: Admin Password Modified; CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Blacklisted Account Alarm; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Corroborated Account Anomalies; CCF: Corroborated Data Access Anomalies; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Data Loss Prevention; CCF: Disabled Account Auth Success; CCF: Excessive Authentication Failure Rule; CCF: Failed Audit Log Write Alarm; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM Delete Activity Alarm; CCF: FIM General Activity; CCF: FIM Information; CCF: GeoIP Blacklisted Region Activity; CCF: GeoIP General Activity; CCF: Large Outbound Transfer; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Unknown User Account Alarm; CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv; CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Deleted Account Inv; CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Excessive Authentication Failure Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Physical Access Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Unknown User Account Inv; CCF: User Object Access Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Account Modification Summary; CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Auth Success Summary; CCF: GeoIP Summary; CCF: Host Access Granted And Revoked Detail; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: Physical Access Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Term Account Activity Summary; CCF: Top Suspicious Users; CCF: Unknown User Account Detail; CCF: User Object Access Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary |
AC-4 | CCF: Abnormal Amount of Data Transferred; CCF: Abnormal Origin Location; CCF: Account Deleted Rule; CCF: Account Disabled Rule; CCF: Account Enabled Rule; CCF: Account Modification; CCF: Admin Password Modified; CCF: Attack then External Connection; CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Blacklisted Account Alarm; CCF: Compromise Detected Alarm; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Config Modified; CCF: Corroborated Account Anomalies; CCF: Corroborated Data Access Anomalies; CCF: Critical Event After Attack; CCF: Critical/PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: Critical/PRD Envir Signature Failure Alarm; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Data Loss Prevention; CCF: Denial Of Service Alarm; CCF: Distributed Brute Force; CCF: Early TLS/SSL Alarm; CCF: Excessive Authentication Failure Rule; CCF: External Brute Force Auths; CCF: Failed Audit Log Write Alarm; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM Delete Activity Alarm; CCF: FIM General Activity; CCF: FIM Information; CCF: GeoIP Blacklisted Region Activity; CCF: GeoIP General Activity; CCF: Large Outbound Transfer; CCF: Local Account Created and Used; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Malware Alarm; CCF: Multiple Account Passwords Modified by Admin; CCF: Non-Encrypted Protocol Alarm; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Rogue Access Point Alarm; CCF: Social Media Event; CCF: Software Install Rule; CCF: Software Install Fail Alarm; CCF: Software Uninstall Rule; CCF: Software Uninstall Fail Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Unknown User Account Alarm; CCF: Vulnerability Detected Alarm | CCF: Account Modification Inv; CCF: Audit Log Inv; CCF: Compromises Detected Inv; CCF: Config/Policy Change Inv; CCF: Deleted Account Inv; CCF: Denial Of Service Inv; CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Excessive Authentication Failure Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Malware Detected Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Patch Activity Inv; CCF: Rogue Access Point Inv; CCF: Signature Activity Inv; CCF: Social Media Inv; CCF: Suspected Wireless Attack Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Object Access Inv; CCF: Vulnerability Detected Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Account Modification Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Auth Success Summary; CCF: Compromises Detected Summary; CCF: Config/Policy Change Summary; CCF: GeoIP Summary; CCF: Host Access Granted And Revoked Detail; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Malware Detected Summary; CCF: Object Access Summary; CCF: Patch Activity Summary; CCF: Rogue Access Point Summary; CCF: Signature Activity Summary; CCF: Social Media Summary; CCF: Suspected Wireless Attack Summary; CCF: Top Suspicious Users; CCF: Unknown User Account Detail; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Object Access Summary; CCF: Vulnerability Detected Summary |
AC-6 | CCF: Abnormal Origin Location; CCF: Account Deleted Rule; CCF: Account Disabled Rule; CCF: Account Enabled Rule; CCF: Account Modification; CCF: Admin Password Modified; CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Blacklisted Account Alarm; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Corroborated Account Anomalies; CCF: Early TLS/SSL Alarm; CCF: Excessive Authentication Failure Rule; CCF: Failed Audit Log Write Alarm; CCF: GeoIP Blacklisted Region Activity; CCF: GeoIP General Activity; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Misuse; CCF: Multiple Account Passwords Modified by Admin; CCF: Non-Encrypted Protocol Alarm; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Unknown User Account Alarm; CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv; CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Deleted Account Inv; CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Excessive Authentication Failure Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Physical Access Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Misuse Inv; CCF: User Object Access Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Account Modification Summary; CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Auth Success Summary; CCF: GeoIP Summary; CCF: Host Access Granted And Revoked Detail; CCF: Object Access Summary; CCF: Physical Access Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Term Account Activity Summary; CCF: Top Suspicious Users; CCF: User Misuse Summary; CCF: User Object Access Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary |
AC-7 | CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Distributed Brute Force; CCF: Excessive Authentication Failure Rule; CCF: External Brute Force Auths; CCF: Failed Audit Log Write Alarm; CCF: LogRhythm Silent Log Source Error Alarm | CCF: Audit Log Inv; CCF: Excessive Authentication Failure Inv | CCF: Access Failure Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary |
AC-10 | CCF: Abnormal Origin Location; CCF: Account Deleted Rule; CCF: Account Disabled Rule; CCF: Account Enabled Rule; CCF: Account Modification; CCF: Admin Password Modified; CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Blacklisted Account Alarm; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Corroborated Account Anomalies; CCF: Early TLS/SSL Alarm; CCF: Excessive Authentication Failure Rule; CCF: Failed Audit Log Write Alarm; CCF: GeoIP Blacklisted Region Activity; CCF: GeoIP General Activity; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Misuse; CCF: Multiple Account Passwords Modified by Admin; CCF: Non-Encrypted Protocol Alarm; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Unknown User Account Alarm; CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv; CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Deleted Account Inv; CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Excessive Authentication Failure Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Physical Access Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Misuse Inv; CCF: User Object Access Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Account Modification Summary; CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Auth Success Summary; CCF: GeoIP Summary; CCF: Host Access Granted And Revoked Detail; CCF: Object Access Summary; CCF: Physical Access Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Term Account Activity Summary; CCF: Top Suspicious Users; CCF: Unknown User Account Detail; CCF: User Misuse Summary; CCF: User Object Access Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary |
AC-16 | CCF: Abnormal Amount of Data Transferred; CCF: Abnormal Origin Location; CCF: Account Deleted Rule; CCF: Account Disabled Rule; CCF: Account Enabled Rule; CCF: Account Modification; CCF: Admin Password Modified; CCF: Attack then External Connection; CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Backup Failure Alarm; CCF: Backup Information; CCF: Blacklist Location Auth; CCF: Blacklisted Account Alarm; CCF: Compromise Detected Alarm; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Corroborated Account Anomalies; CCF: Corroborated Data Access Anomalies; CCF: Critical Event After Attack; CCF: Critical/PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: Critical/PRD Envir Signature Failure Alarm; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Data Loss Prevention; CCF: Denial Of Service Alarm; CCF: Disabled Account Auth Success; CCF: Distributed Brute Force; CCF: Early TLS/SSL Alarm; CCF: Excessive Authentication Failure Rule; CCF: External Brute Force Auths; CCF: Failed Audit Log Write Alarm; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM Delete Activity Alarm; CCF: FIM General Activity; CCF: FIM Information; CCF: GeoIP Blacklisted Region Activity; CCF: GeoIP General Activity; CCF: Large Outbound Transfer; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Malware Alarm; CCF: Misuse; CCF: Multiple Account Passwords Modified by Admin; CCF: Non-Encrypted Protocol Alarm; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Rogue Access Point Alarm; CCF: Social Media Event; CCF: Software Install Rule; CCF: Software Install Fail Alarm; CCF: Software Uninstall Rule; CCF: Software Uninstall Fail Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Time Sync Error Alarm; CCF: Unknown User Account Alarm; CCF: Vulnerability Detected Alarm; CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv; CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Backup Activity Inv; CCF: Compromises Detected Inv; CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Deleted Account Inv; CCF: Denial Of Service Inv; CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Excessive Authentication Failure Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Malware Detected Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Patch Activity Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Rogue Access Point Inv; CCF: Signature Activity Inv; CCF: Social Media Inv; CCF: Suspected Wireless Attack Inv; CCF: Suspicious Users Inv; CCF: Time Sync Error Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Misuse Inv; CCF: User Object Access Inv; CCF: Vulnerability Detected Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Account Modification Summary; CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Auth Success Summary; CCF: Backup Activity Summary; CCF: Compromises Detected Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: GeoIP Summary; CCF: Host Access Granted And Revoked Detail; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Malware Detected Summary; CCF: Object Access Summary; CCF: Patch Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Rogue Access Point Summary; CCF: Signature Activity Summary; CCF: Social Media Summary; CCF: Suspected Wireless Attack Summary; CCF: Term Account Activity Summary; CCF: Time Sync Error Summary; CCF: Top Suspicious Users; CCF: Unknown User Account Detail; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: User Object Access Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary; CCF: Vulnerability Detected Summary |
AC-17 | CCF: Abnormal Origin Location; CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Blacklist Location Auth; CCF: Blacklisted Account Alarm; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Corroborated Account Anomalies; CCF: Disabled Account Auth Success; CCF: Early TLS/SSL Alarm; CCF: Excessive Authentication Failure Rule; CCF: Failed Audit Log Write Alarm; CCF: GeoIP Blacklisted Region Activity; CCF: GeoIP General Activity; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Misuse; CCF: Non-Encrypted Protocol Alarm; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Unknown User Account Alarm; CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv; CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Deleted Account Inv; CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Excessive Authentication Failure Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Rogue Access Point Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Misuse Inv; CCF: User Object Access Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Account Modification Summary; CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Auth Success Summary; CCF: GeoIP Summary; CCF: Host Access Granted And Revoked Detail; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Rogue Access Point Summary; CCF: Term Account Activity Summary; CCF: Top Suspicious Users; CCF: Unknown User Account Detail; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: User Object Access Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary |
AC-18 | CCF: Abnormal Origin Location; CCF: Account Deleted Rule; CCF: Account Disabled Rule; CCF: Account Enabled Rule; CCF: Account Modification; CCF: Admin Password Modified; CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Blacklisted Account Alarm; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Config Change After Attack; CCF: Corroborated Account Anomalies; CCF: Corroborated Data Access Anomalies; CCF: Disabled Account Auth Success; CCF: Early TLS/SSL Alarm; CCF: Excessive Authentication Failure Rule; CCF: Failed Audit Log Write Alarm; CCF: GeoIP Blacklisted Region Activity; CCF: GeoIP General Activity; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Misuse; CCF: Multiple Account Passwords Modified by Admin; CCF: Non-Encrypted Protocol Alarm; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Unknown User Account Alarm; CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv; CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Deleted Account Inv; CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Excessive Authentication Failure Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Object Access Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Account Modification Summary; CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Auth Success Summary; CCF: GeoIP Summary; CCF: Host Access Granted And Revoked Detail; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Term Account Activity Summary; CCF: Top Suspicious Users; CCF: Unknown User Account Detail; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Object Access Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary |
AC-20 | CCF: Abnormal Amount of Data Transferred; CCF: Abnormal Origin Location; CCF: Account Deleted Rule; CCF: Account Disabled Rule; CCF: Account Enabled Rule; CCF: Account Modification; CCF: Admin Password Modified; CCF: Attack then External Connection; CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Backup Failure Alarm; CCF: Backup Information; CCF: Blacklist Location Auth; CCF: Blacklisted Account Alarm; CCF: Compromise Detected Alarm; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Corroborated Account Anomalies; CCF: Corroborated Data Access Anomalies; CCF: Critical Event After Attack; CCF: Critical/PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: Critical/PRD Envir Signature Failure Alarm; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Data Loss Prevention; CCF: Denial Of Service Alarm; CCF: Disabled Account Auth Success; CCF: Distributed Brute Force; CCF: Early TLS/SSL Alarm; CCF: Excessive Authentication Failure Rule; CCF: External Brute Force Auths; CCF: Failed Audit Log Write Alarm; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM Delete Activity Alarm; CCF: FIM General Activity; CCF: FIM Information; CCF: GeoIP Blacklisted Region Activity; CCF: GeoIP General Activity; CCF: Large Outbound Transfer; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Malware Alarm; CCF: Misuse; CCF: Multiple Account Passwords Modified by Admin; CCF: Non-Encrypted Protocol Alarm; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Rogue Access Point Alarm; CCF: Social Media Event; CCF: Software Install Rule; CCF: Software Install Fail Alarm; CCF: Software Uninstall Rule; CCF: Software Uninstall Fail Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Time Sync Error Alarm; CCF: Unknown User Account Alarm; CCF: Vulnerability Detected Alarm; CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv; CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Backup Activity Inv; CCF: Compromises Detected Inv; CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Deleted Account Inv; CCF: Denial Of Service Inv; CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Excessive Authentication Failure Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Malware Detected Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Patch Activity Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Rogue Access Point Inv; CCF: Signature Activity Inv; CCF: Social Media Inv; CCF: Suspected Wireless Attack Inv; CCF: Suspicious Users Inv; CCF: Time Sync Error Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Misuse Inv; CCF: User Object Access Inv; CCF: Vulnerability Detected Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Account Modification Summary; CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Auth Success Summary; CCF: Backup Activity Summary; CCF: Compromises Detected Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: GeoIP Summary; CCF: Host Access Granted And Revoked Detail; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Malware Detected Summary; CCF: Object Access Summary; CCF: Patch Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Rogue Access Point Summary; CCF: Signature Activity Summary; CCF: Social Media Summary; CCF: Suspected Wireless Attack Summary; CCF: Term Account Activity Summary; CCF: Time Sync Error Summary; CCF: Top Suspicious Users; CCF: Unknown User Account Detail; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: User Object Access Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary; CCF: Vulnerability Detected Summary |
AC-21 | CCF: Abnormal Amount of Data Transferred; CCF: Abnormal Origin Location; CCF: Account Deleted Rule; CCF: Account Disabled Rule; CCF: Account Enabled Rule; CCF: Account Modification; CCF: Admin Password Modified; CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Backup Failure Alarm; CCF: Backup Information; CCF: Blacklist Location Auth; CCF: Blacklisted Account Alarm; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Corroborated Data Access Anomalies; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Data Loss Prevention; CCF: Early TLS/SSL Alarm; CCF: Excessive Authentication Failure Rule; CCF: Failed Audit Log Write Alarm; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM Delete Activity Alarm; CCF: FIM General Activity; CCF: FIM Information; CCF: GeoIP Blacklisted Region Activity; CCF: GeoIP General Activity; CCF: Large Outbound Transfer; CCF: Linux sudo Privilege Escalation; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Misuse; CCF: Multiple Account Passwords Modified by Admin; CCF: Non-Encrypted Protocol Alarm; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Social Media Event; CCF: Time Sync Error Alarm; CCF: Unknown User Account Alarm; CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv; CCF: Audit Log Inv; CCF: Backup Activity Inv; CCF: Deleted Account Inv; CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Excessive Authentication Failure Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Social Media Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Misuse Inv; CCF: User Object Access Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Account Modification Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Auth Success Summary; CCF: Backup Activity Summary; CCF: GeoIP Summary; CCF: Host Access Granted And Revoked Detail; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Social Media Summary; CCF: Term Account Activity Summary; CCF: Top Suspicious Users; CCF: Unknown User Account Detail; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: User Object Access Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary |
AC-23 | CCF: Abnormal Amount of Data Transferred; CCF: Abnormal Origin Location; CCF: Account Deleted Rule; CCF: Account Disabled Rule; CCF: Account Enabled Rule; CCF: Account Modification; CCF: Admin Password Modified; CCF: Attack then External Connection; CCF: Audit Log Cleared Alarm; CCF: Audit Logging Stopped Alarm; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Backup Failure Alarm; CCF: Backup Information; CCF: Blacklist Location Auth; CCF: Blacklisted Account Alarm; CCF: Compromise Detected Alarm; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Corroborated Account Anomalies; CCF: Corroborated Data Access Anomalies; CCF: Critical Event After Attack; CCF: Critical/PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: Critical/PRD Envir Signature Failure Alarm; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Data Loss Prevention; CCF: Denial Of Service Alarm; CCF: Disabled Account Auth Success; CCF: Distributed Brute Force; CCF: Early TLS/SSL Alarm; CCF: Excessive Authentication Failure Rule; CCF: External Brute Force Auths; CCF: Failed Audit Log Write Alarm; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM Delete Activity Alarm; CCF: FIM General Activity; CCF: FIM Information; CCF: GeoIP Blacklisted Region Activity; CCF: GeoIP General Activity; CCF: Large Outbound Transfer; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Malware Alarm; CCF: Misuse; CCF: Multiple Account Passwords Modified by Admin; CCF: Non-Encrypted Protocol Alarm; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Rogue Access Point Alarm; CCF: Social Media Event; CCF: Software Install Rule; CCF: Software Install Fail Alarm; CCF: Software Uninstall Rule; CCF: Software Uninstall Fail Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Time Sync Error Alarm; CCF: Unknown User Account Alarm; CCF: Vulnerability Detected Alarm; CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv; CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Backup Activity Inv; CCF: Compromises Detected Inv; CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Deleted Account Inv; CCF: Denial Of Service Inv; CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Excessive Authentication Failure Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Malware Detected Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Patch Activity Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Rogue Access Point Inv; CCF: Signature Activity Inv; CCF: Social Media Inv; CCF: Suspected Wireless Attack Inv; CCF: Suspicious Users Inv; CCF: Time Sync Error Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Misuse Inv; CCF: User Object Access Inv; CCF: Vulnerability Detected Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Account Modification Summary; CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Auth Success Summary; CCF: Backup Activity Summary; CCF: Compromises Detected Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: GeoIP Summary; CCF: Host Access Granted And Revoked Detail; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Malware Detected Summary; CCF: Object Access Summary; CCF: Patch Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Rogue Access Point Summary; CCF: Signature Activity Summary; CCF: Social Media Summary; CCF: Suspected Wireless Attack Summary; CCF: Term Account Activity Summary; CCF: Time Sync Error Summary; CCF: Top Suspicious Users; CCF: Unknown User Account Detail; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: User Object Access Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary; CCF: Vulnerability Detected Summary |
AC-24 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Non-Encrypted Protocol Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
AC-25 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Non-Encrypted Protocol Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
AU-3 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
AU-4 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Critical Environment Error Inv CCF: Time Sync Error Inv | CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary |
AU-5 | CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm | CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Time Sync Error Inv | CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Time Sync Error Summary |
AU-6 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
AU-7 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
AU-8 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Modified CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary |
AU-9 | CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm | CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary |
AU-10 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
AU-11 | CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Physical Access Inv CCF: Time Sync Error Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Physical Access Summary CCF: Time Sync Error Summary |
AU-12 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
AU-13 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Social Media Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
AU-14 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
AU-15 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
CA-2 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Non-Encrypted Protocol Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
CA-7 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
CM-3 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
CM-5 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
CM-6 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
CM-7 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
CM-8 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm | CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv | CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Signature Activity Summary |
CM-11 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm | CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv | CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Signature Activity Summary |
CM-12 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
CP-6 | CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm | CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv | CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Physical Access Summary CCF: Time Sync Error Summary |
CP-7 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
CP-9 | CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm | CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Time Sync Error Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: User Object Access Summary |
CP-13 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
IA-2 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
IA-3 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
IA-4 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
IA-5 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
IA-7 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
IA-8 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
IA-9 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
IP-2 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
IA-10 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
IP-4 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
IA-12 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
IP-3 | CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm | CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: User Object Access Inv | CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary |
IR-4 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
IR-5 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
IR-6 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
IR-7 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
IR-9 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
IR-10 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
MA-2 | CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Windows RunAs Privilege Escalation | CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
MA-3 | CCF: Abnormal Amount of Data Transferred CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Windows RunAs Privilege Escalation | CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
MA-4 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
MA-5 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
MA-6 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
MP-2 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
MP-4 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
MP-6 | CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm | CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv | CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary |
PA-3 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
MP-7 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
MP-8 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
PA-4 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
PE-2 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm | CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Physical Access Summary |
PE-3 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm | CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Physical Access Summary |
PE-4 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm | CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Physical Access Summary |
PE-5 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm | CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Physical Access Summary |
PE-6 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm | CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Physical Access Summary |
PE-7 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm | CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Physical Access Summary |
PE-8 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm | CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Physical Access Summary |
PL-4 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
PE-17 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
PL-8 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
PL-9 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
PM-14 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary |
PM-6 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
PM-12 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
PM-17 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
PM-23 | CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm | CCF: Audit Log Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv | CCF: Audit Log Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary |
PM-26 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
PS-4 | CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Unknown User Account Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
PS-5 | CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Unknown User Account Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
PS-7 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Social Media Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
PS-8 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
RA-2 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
RA-3 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
RA-7 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SA-3 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm | CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Patch Activity Inv CCF: Signature Activity Inv | CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Patch Activity Summary CCF: Signature Activity Summary |
SA-4 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
SA-5 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
SA-9 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SA-10 | CCF: Abnormal Amount of Data Transferred CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Blacklisted Account Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
SA-18 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SA-19 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
SC-2 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
SC-3 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
SC-4 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
SC-5 | CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Denial Of Service Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm | CCF: Audit Log Inv CCF: Denial Of Service Inv | CCF: Audit Log Summary |
SC-7 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SC-8 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
SC-10 | NetMon | NetMon | NetMon |
SC-13 | CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm | CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Use Of Non-Encrypted Protocols Inv | CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Use Of Non-Encrypted Protocols Summary |
SC-16 | CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Time Sync Error Alarm | CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Use Of Non-Encrypted Protocols Inv | CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Use Of Non-Encrypted Protocols Summary |
SC-18 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SC-20 | NetMon | NetMon | NetMon |
SC-21 | NetMon | NetMon | NetMon |
SC-22 | NetMon | NetMon | NetMon |
SC-23 | NetMon | NetMon | NetMon |
SC-24 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm | CCF: Account Modification Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Patch Activity Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SC-26 | LogRhythm Honeypot Security Analytics Suite | LogRhythm Honeypot Security Analytics Suite | LogRhythm Honeypot Security Analytics Suite |
SC-27 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm | CCF: Account Modification Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Patch Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Vulnerability Detected Summary |
SC-28 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Social Media Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
SC-31 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm | CCF: Account Modification Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Patch Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Vulnerability Detected Summary |
SC-35 | LogRhythm Honeypot Security Analytics Suite | LogRhythm Honeypot Security Analytics Suite | LogRhythm Honeypot Security Analytics Suite |
SC-36 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SC-38 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SC-40 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm | CCF: Account Modification Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Malware Detected Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Malware Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary |
SC-41 | NetMon | | |
SI-2 | CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: Linux sudo Privilege Escalation CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Windows RunAs Privilege Escalation | CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Patch Activity Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv | CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Patch Activity Summary CCF: Signature Activity Summary |
SI-3 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SI-4 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SI-5 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SI-6 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary |
SI-7 | CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary |
SI-8 | CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Critical Event After Attack CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Malware Detected Inv CCF: Password Modification Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Misuse Inv CCF: Vulnerability Detected Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Malware Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: Vulnerability Detected Summary |
SI-10 | | | |
SI-11 | CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm | CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Critical Environment Error Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Time Sync Error Inv | CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Critical Environment Error Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Time Sync Error Summary |
SI-12 | CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Social Media Event | CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Social Media Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv | CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Social Media Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary |
SI-14 | CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Security Event CCF: Compromise Detected Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm | CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Host Access Granted And Revoked Inv CCF: Malware Detected Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Misuse Inv CCF: Vulnerability Detected Inv CCF: Excessive Authentication Failure Inv | CCF: Audit Log Summary CCF: Compromises Detected Summary CCF: Host Access Granted And Revoked Detail CCF: Malware Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: Vulnerability Detected Summary |
SI-15 | NetMon | NetMon | NetMon |
SI-16 | CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm | CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Social Media Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv | CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Social Media Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary |
SI-17 | CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm | CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Time Sync Error Inv | CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Critical Environment Error Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Time Sync Error Summary |
SI-18 | CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm | CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv | CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary |
SI-19 | CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm | CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv | CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary |